Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-extended-error and combinations of EDEs and RCODEs

Tony Finch <dot@dotat.at> Fri, 13 September 2019 20:01 UTC

Date: Fri, 13 Sep 2019 21:01:33 +0100
From: Tony Finch <dot@dotat.at>
To: dnsop@ietf.org
In-Reply-To: <AACC9277-D817-4384-99D9-4F65EE809F0C@dukhovni.org>
Message-ID: <alpine.DEB.2.20.1909132047400.5352@grey.csi.cam.ac.uk>
References: <EA557043-34D1-43EA-B750-4A17CFC6BE50@icann.org> <ybl36h4aj8x.fsf@w7.hardakers.net> <AFE92D06-8418-4451-A827-D5656C83B796@icann.org> <yblzhjbeova.fsf@w7.hardakers.net> <067589D2-8E7E-47FA-867C-72E266A55D6D@icann.org> <CADyWQ+EB-eotvTdYwNv5Oo4=-mibdgEgpkQ3yh37orAwp-AgWg@mail.gmail.com> <ybly2yubfnp.fsf@w7.hardakers.net> <21136294-FDFD-4A99-9529-E79C45E79535@icann.org> <yblzhja9kz3.fsf@w7.hardakers.net> <3AC375B1-D858-4577-AEBE-4BB7CD40C241@icann.org> <1878161734.14716.1568306548325@appsuite-gw1.open-xchange.com> <0C5DC6B2-E9C5-46A6-B0BA-12830A405DD2@dukhovni.org> <775d97e3-65b0-832a-6118-a3c64d872539@bellis.me.uk> <F7A157E6-9773-4B6F-90C8-761D1B3CFC00@icann.org> <AACC9277-D817-4384-99D9-4F65EE809F0C@dukhovni.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pTZXm1c7P-p2AcQXVcVn0GRL0AA>

Some questions about the intended meanings...

3.6.  Extended DNS Error Code 5 - DNSSEC Indeterminate

If I remember correctly, there isn't a consistent definition of what
"indeterminate" means. Perhaps it's worth adding a reference to the
intended definition.

[ actually maybe all the codes could have citations to where the error
cases are mentioned in existing specifications, perhaps with a comment
that the citations are not intended to be exhaustive ]

3.5.  Extended DNS Error Code 4 - Forged Answer
3.16.  Extended DNS Error Code 15 - Blocked
3.17.  Extended DNS Error Code 16 - Censored
3.19.  Extended DNS Error Code 18 - Filtered

I don't understand the shades of meaning that these are supposed to
distinguish.

wrt "filtered", the description implies vaguely RPZ flavoured filtering,
but it mentions a REFUSED RCODE which isn't what a sensible implementation
would use for that purpose, so I am more confused.

3.18.  Extended DNS Error Code 17 - Prohibited

If I understand correctly, the four above are about the qname whereas this
is about the client? The ordering is a bit confusing.

3.21.  Extended DNS Error Code 20 - Lame

This needs to be split into two: server doesn't know about the zone
queried for (typically RCODE=REFUSED), and server knows about the zone but
it has expired (typically RCODE=SERVFAIL).

Resolvers handling RD=0 queries typically answer from cache or would
answer REFUSED/Prohibited, I would have thought.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Hebrides, Bailey: West, backing south for a time, 4 to 6, increasing 7 to
severe gale 9, occasionally storm 10 in Hebrides. Rough or very rough,
becoming high or very high. Rain or showers. Good, becoming moderate or poor.
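Added example, not part of this message or of the draft being discussed: a small decoder for the Extended DNS Error EDNS option that pairs each info-code with the message RCODE, so a resolver operator can log which (RCODE, EDE) combinations an upstream actually emits and see the Lame/REFUSED versus Lame/SERVFAIL distinction raised above. Assumptions are labelled in the code: the option layout (2-octet INFO-CODE followed by UTF-8 EXTRA-TEXT) follows the draft, the option code 15 is the value IANA later assigned (the draft still said TBD at the time of this thread), and the code names use the draft numbering quoted in the message (17 Prohibited, 18 Filtered, 20 Lame), which differs from the final RFC 8914 table. The sample OPT RDATA is constructed inline.

```python
"""Decode Extended DNS Error (EDE) options from OPT RR RDATA and pair them
with the message RCODE for logging. Added example; assumptions are marked."""
import struct

EDE_OPTION_CODE = 15  # assumption: IANA value assigned later; draft said TBD

# Names as numbered in the draft revision discussed in the message.
EDE_NAMES = {
    4: "Forged Answer",
    5: "DNSSEC Indeterminate",
    15: "Blocked",
    16: "Censored",
    17: "Prohibited",
    18: "Filtered",
    20: "Lame",
}

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_edns_options(rdata: bytes):
    """Parse OPT RR RDATA into a list of (option-code, option-data) pairs,
    rejecting truncated options instead of silently dropping them."""
    options = []
    off = 0
    while off < len(rdata):
        if len(rdata) - off < 4:
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        if len(rdata) - off < length:
            raise ValueError("EDNS option length exceeds RDATA")
        options.append((code, rdata[off:off + length]))
        off += length
    return options


def parse_ede(option_data: bytes):
    """Decode one EDE option body into (info_code, extra_text).
    Layout assumed from the draft: 2-octet INFO-CODE + UTF-8 EXTRA-TEXT."""
    if len(option_data) < 2:
        raise ValueError("EDE option shorter than INFO-CODE")
    (info_code,) = struct.unpack("!H", option_data[:2])
    # EXTRA-TEXT is UTF-8; keep the error even if the text is malformed.
    text = option_data[2:].decode("utf-8", errors="replace")
    return info_code, text


def build_ede(info_code: int, extra_text: str = "") -> bytes:
    """Encode a complete EDE option (header + body) for embedding in OPT RDATA."""
    data = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(data)) + data


def describe(rcode: int, opt_rdata: bytes):
    """Return log-ready strings for every EDE option in the OPT RDATA.

    A bare 'Lame' tells the operator little on its own; as the message notes,
    REFUSED suggests the server does not serve the zone at all, while
    SERVFAIL suggests it serves a copy that has expired.
    """
    rcode_name = RCODE_NAMES.get(rcode, f"RCODE{rcode}")
    out = []
    for code, data in parse_edns_options(opt_rdata):
        if code != EDE_OPTION_CODE:
            continue  # e.g. cookies, client-subnet: not our concern here
        info, text = parse_ede(data)
        name = EDE_NAMES.get(info, f"EDE{info}")
        entry = f"{rcode_name}/{name}"
        if text:
            entry += f' ("{text}")'
        if info == 20:
            if rcode == 5:
                entry += " [zone not served here]"
            elif rcode == 2:
                entry += " [zone served but likely expired]"
        out.append(entry)
    return out


if __name__ == "__main__":
    # Constructed sample: an EDE 'Lame' option followed by an unrelated
    # 8-byte option (code 10), inside a SERVFAIL response.
    sample = build_ede(20, "zone expired") + b"\x00\x0a\x00\x08" + b"\x01" * 8
    for line in describe(2, sample):
        print(line)
```

Running the block prints `SERVFAIL/Lame ("zone expired") [zone served but likely expired]`; feeding the same option with RCODE 5 yields the "zone not served here" annotation instead, which is exactly the information a single Lame code would otherwise leave ambiguous.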